Great News In The Battle Against Tech Support Scams

November 10, 2014 the Federal Trade Commission along with local Delray Beach Florida law enforcement raided the facilities of OMG Tech Help and Vast Tech Support; effectively closing down these and related businesses for engaging in deceptive business practices by running “a multi-million dollar computer repair scheme that exploits consumers’ fears about computer viruses, malware and other security threats.”

This is a huge win for consumers who, as the TRO Motion makes clear, have been bilked out of millions of dollars by fraudsters tricking people into paying for unnecessary tech support services or software. Included in the TRO is “an asset freeze” to allow for “equitable relief” for those victimized by this scam.

Tech support scams have been a growing industry in the past few years and we’ve written about them several times. Our advice has always been the same, take your computer or server to someone local, don’t trust the calls, emails or popups you receive.

For more information on how these scams are perpetrated read our article Tech Support Scams - Don't be a Victim. 

In the case of OMG Tech Help and Vast Tech Support the scam works through a free downloadable program called PC HealthBoost (see above image); the software was developed by and is maintained by Boost Software of Massachusetts and they are included in the TRO. The software is marketed, if you can call it that, through paid for ads and popups on websites.

pc-healthboost Screenshot of PC HealthBoost software scam.[/caption]

From the FTC, “Upon downloading a free version of the product, the product automatically initiates a bogus computer system scan that invariably detects hundreds or thousands of purported “errors ” in need of repair. PC HealthBoost’s bogus free scan falsely identifies innocuous and helpful files as “errors”. The Boost Defendants then offer consumers the opportunity to “fix” these errors by downloading the paid version of the software for $29.97. After duping consumers into purchasing the paid version of PC HealthBoost, the software instructs consumers to call a toll free phone number to activate the product.”

For details on some of the innocuous items identified as errors, as well as how the remote access section of the scam works see our article.

It is through the need to activate the product that the scam transitions from Boost Software to OMG Tech Help and Vast Tech Support. Now you’re in the hands of the next step of the scheme to “extract additional money from unsuspecting consumers”.

As a part of the activation the telemarketer finds a way to get you to allow them to have remote access. Once remote access was gained to the intended victims’ computers they “tricked consumers into believing that their computers are riddled with problems and in imminent danger of crashing, the telemarketers then pitch the services of technicians, including repairs and long-term maintenance programs. The Vast Defendants recommend and charge for repairs even when computers are in good working order and have no issues. Through the course of the scheme, the Boost and Vast Defendants have caused more than $22 million in consumer injury.” (emphasis added)

Vast is reported to have operated under multiple dbas including OMG Tech Help, OMG Total Protection, OMG Back Up, dowloadsoftware.com and softwaretechsupport.com.

To put that $22 million in consumer injury into perspective, consider the President of OMG Tech Help Jon-Paul Vasta’s LinkedIn Profile.

Vast Vast_Experience

That's $22 million in not even 3 years of running this scam.

Near the end the TRO gives us another encouraging bit of information, “Before founding Vast, JP Vasta worked for Inbound Call Experts, another computer repair scheme operating out of Boca Raton subject to an FTC and State of Florida enforcement action filed simultaneously with this case.”

While it is good news that it appears a second computer repair scheme is also out of business the damage caused by Inbound Call Experts dba Advanced Tech Support, appears to be even larger than OMG Tech Help. Consumer’s reported paying $150 – $500 for each phony repair, coming to a total of nearly $100 million in revenue from consumers.

Employer review site GlassDoor.com may offers a glimpse at what Inbound Call Experts was all about. From September 2, 2014 “Former Employee…you feel like you are taking money from people who don’t have it for things they don’t need.”

The related companies in the Inbound Call Experts case are coast to coast, from Advanced Tech Support in Florida to PC Cleaner, Inc. and Netcom3, Inc. in California. The combined defendants had approximately 150 domains that they would use to lure victims in. The domains include:

  • freetechsupport.com
  • advancedtechsupport.com
  • malwareexperts.com
  • pcmri.com
  • pcmriforlife.com
  • superpcsupport.com
  • pcvitalware.com
  • fix22.com
  • fixme1.com

These defendants would “partner with computer security software companies to purportedly provide technical support for particular software. In those instances, unbeknownst to the consumer the defendants pay for the phone number that appears on the software partner’s website. When consumers call the software company for assistance with a particular product, rather than reaching that software developer, they reach ICE/ATS.”

One of the downloadable programs offered specifically by PC Cleaner, Inc. which claims to show infections, but instead uses false information to trick the victim has been downloaded by users more than 450,000 times between 2011 and 2013 per the FTC filing.

This is great news for consumers everywhere! But remember these two aren't the only companies working this scam online. It’s always best to take your computer to a local trusted company!

Top Speed Computer Service's South Reno Office Top Speed's South Reno Office

Read more...

Operation Pawn Storm - Social Engineering Leaves Everyone Vulnerable to Cyber Attacks

If you've ever felt angry, irritated or upset at yourself for falling for some cleverly worded email and clicking on the attachment thereby infecting your computer or your company's network with something awful, you're not alone!

The point of social engineering is both to get around standard network security setups and to dupe individuals at all levels into opening that email attachment or entering their credentials into that look-alike site.

Operation Pawn Storm is a study done by TrendMicro into "economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies."  Looking at the list of targets it's clear that this is a group with heightened security concerns and those most of us would imagine are well equipped to fend off cyber-attacks, but the reality is they are just as susceptible to a cleverly worded email as the rest of us.  And no amount of available money put into network infrastructure can full mitigate human error.

Included in the study as targets are ACADEMI - defense contractor formerly known as Blackwater, SAIC, the Organization for Security and Co-operation in Europe, the Ministry of Defense in France, broadcasting companies, Ministry of Defense in Hungary, Polish government employees, United States Department of State and the Vatican Embassy in Iraq.

So how were these individuals tricked?  The simple answer is exact same way the attackers trick everyone else.  Spear-phishing schemes, carefully worded emails, and slightly changed / redirected domains.

Examples from Trend Micros report:

The Ministry of Defense in Hungary was tricked using an upcoming Exhibition / Conference.  The attackers purchased a domain similar to the actual conference and created a similar website then sent out targeted emails to those who could be expected to attend from Hungary.

  • Real conference domain - eurosatory.com
  • Malicious conference domain - eursatory2014.com

Similar to the Hungarian Defense Ministry, SAIC was the target of a spoofed conference website.  In this case it was for the "Future Forces 2014" conference and the intent was to trick email recipients into providing their webmail credentials.

  • Real conference domain - natoexhibition.org
  • Malicious conference domain - natoexhibitionff14.com

Additionally the attackers are using malicious attachments to install malware on unsuspecting victims computers.  This is exactly what they do to users not in heightened security industries, only in these cases the attachments tend to be more specific to get the intended victim to open them.

Whereas many people receive and unfortunately open attachments that say "Undeliverable USPS Parcel Shipping Details" those in who work for more security entrenched targets are more specifically targeted with documents they won't suspect as being malicious:

Military official in Pakistan received a Word document claiming to relate to the Homeland Security Summit in the Middle East.

Polish government employees received a document related to the shooting down of flight MH17 over Ukraine. Military officials in multiple countries received an Excel attachment posing as a list of journalists accredited at the APEC Summit 2013.

From Operation Pawn Storm - A Trend Micro Research Paper

Vatican Embassy in Iraq received a Word document claiming to be about a bombing the day before.

It's not USPS package that wasn't deliverable, it's specific, relevant information to the targeted recipient.

From these examples you can see how social engineering works across all spectrums and cyber criminals have become adept at exact targeting of their victims to get the desired information or result from the attack.

Read more...

Diary Queen Hit By Same Malware That Hit Target and The UPS Stores

DGMalware, named Backoff, has been found on Dairy Queen Point of Sale computers in numerous states including Nevada.  The states with known infections are Alaska, Alabama, Arkansas, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Iowa, Idaho, Indiana, Illinois, Kansas, Kentucky, Massachusetts, Maryland, Maine, Michigan, Minnesota, Missouri, Mississippi, Montana, North Carolina, North Dakota, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, Wisconsin, West Virginia and Wyoming.

In case you're keeping count, that's only Hawaii, Rhode Island, Louisiana, and Vermont without known Backoff infections.  This does not mean that every Dairy Queen in these states has been infected, for instance there are only two locations with known infections in Nevada both in Las Vegas.  Click here for a full list of affected Dairy Queens.

Most Dairy Queen locations are independent franchises and at the time of the malware detection Dairy Queen did not have a policy requiring the independent franchises to notify Dairy Queen corporate of the breach.  It is likely after these incidents Dairy Queen will put this kind of policy in place.  As a result there may still be additional Dairy Queens that have the Backoff malware, but have not yet disclosed that information.

Julie Conroy of Aite Group told KrebsOnSecurity, "This goes back to the eternal challenge with all small merchants, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don't' think they are a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they're not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule."

Most people are familiar with the Target, UPS Store, or Supervalu breaches, either because you've received a replacement credit card in the mail or from news coverage, but how does this malware work and why are we continuing to see new infections and breaches?

First while we call it by a single name, Backoff has multiple variants, each new variant trying to make it so that Anti-Virus software won't detect and thereby block it.  Second is like Julie Conroy said often smaller companies don't believe themselves vulnerable to attacks like Backoff and either aren't running a quality anti-virus or aren't keeping their anti-virus up-to-date.

Either of those choices can have disastrous consequences.  Backoff infections are multiplying at an alarming rate, in July 2014 SC Info Security News Magazine reported that "Nearly 600 U.S. businesses compromised by 'Backoff' POS malware." by the end of August the Wall Street Journal reported, "More than 1,000 businesses affected by 'Backoff' malware."  If you count each Dairy Queen as a separate business, they account for over 400 infections alone.

Backoff is installed on Point of Sale terminals typically by attackers compromising remote access tools that allow users to connect to the computers via the Internet; often the compromise is as a result of the remote access account having too weak or an easy to guess password.

(See our article on password security.)

Once access is gained Backoff works as a simple backdoor Trojan that installs itself as a running service that initializes itself after startup, making it survive a reboot.  After it's installed Backoff opens port 80 and waits for instructions from the command and control server.  Backoff also cleverly hides itself by pretending to be an Adobe Flash Player update in the system registry.

What can small businesses do to protect themselves and their customers?  Most of it comes down to putting the right processes and protection in place and from there it's about network vigilance.  One giveaway, that someone monitoring your network should catch, would be port 80 being open; this would be unusual for a Point of Sale system unless a particular software required it, and in that case the person or company you have overseeing your network would keep note of any possible security concerns that could arise.

If you're in Northern Nevada and have questions or concerns about the vulnerability of your business's Point of Sale system give Top Speed Computer Service a call and we'll come out do an evaluation.  775-852-4333

Read more...

Fake FedEx Package Undeliverable Notice Or A Secret Surprise Parcel?

A fake FedEx email is making the rounds and because the link to get the shipping information is cleverly hidden in an image you might be tempted to click before evaluating the legitimacy of this email. Fake_Fedex We'll take this email apart step by step so you can get an understanding of just how fake it is.

Let's start with the FedEx logo - how many of you noticed that the logo isn't quite right.  Here's their logo image from their website.

FedEx-Logo

Both the font and color are wrong in the email.  It's also missing the registered trademark or copyright symbol which is prevalent whenever you see "FedEx" used online and in emails.

Next, for the sake of logic, were you expecting a parcel from FedEx?  Or were you excited by the idea that someone sent you something unexpected so you hit "Get Shipment Label" before thinking about it?  And while we're considering it, where does "Get Shipment Label" take you?  It certainly doesn't take you to fedex.com - instead it takes you to master-insight.com.  Well what is that?  master-insight.com was registered earlier this year through GoDaddy to an entity appearing to be located in Hong Kong.

Not very likely that master-insight.com knows anything about any parcels either delivered or undeliverable to you.

So let's look at the who the email reports to be from: "FedEx SmartPost <This email address is being protected from spambots. You need JavaScript enabled to view it.>".  Ok so then what is fefmont.org?  Fefmont.org comes up as registered to an organization Franciscanas del Espiritu Santo de Montpellier in Madrid.  The organization in Madrid translates to Franciscan Sisters of the Holy Spirit and has domains franciscanasmontpellier.org and fefmont.es, .es is the country code for Spain.

Expecting a parcel from Spain were you?

Finally looking into the headers confirms the European tie.

FedexFake

195.76.183.201 is a RIPE IP Address (RIPE is the European version of ARIN which stands for American Registry for Internet Numbers).

After all of that, does anything about this email seem legitimate?  Obviously that was rhetorical.  But so many will be so excited by a secret surprise parcel that they won't stop to evaluate the legitimacy of this email before clicking "Get Shipment Label"...

Read more...
Subscribe to this RSS feed

Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

8755 Technology Way

Suite J

Reno, NV 89521

Log in or Sign up